Sweet Land of Databases

In “Stuck on the No-Fly List,” Ryan Singel discusses the procedure for, no not getting off the list [1], but for getting onto yet another “cleared” list.[2] Confused? I was too. The head of the Terrorist Screening Center [3] told me recently that I’d mixed up “No-Fly” and “Selectee.” As Daniel Solove explains in “Secure Flight: A Lesson in What Not to Do,” that’s understandable, the system is as transparent as mud. Professor Solove is commenting on the report the Secure Flight Working Group wrote. He also explains why that lack of transparency is bad for society. One of the working group members, Bruce Schneier writes about the release:

I had given up on the process, sick of not being able to get any answers out of TSA, and believed that the report would end up in somebody’s desk drawer, never to be seen again. I was stunned when I learned that the ASAC made the report public.

One of the issues that Schneier mentions is that there’s no simple explanation of what the goal of secure flight is. As I’ve mentioned recently, I’m something of a requirements-crafting geek, and so this makes me doubly sad.

In related makes-me-sad news, the Washington Post has a story about “Bill Would Permit DNA Collection From All Those Arrested.” It’s pretty clear that this data will be analyzed and stored by commercial data brokers and gossip-mongers who will sell it to your health insurer, and anyone else who has a nickel. Victims of identity theft will be further-screwed, as the fraudster’s DNA precedes theirs in seeding the databases.

Finally, in a bit of overseas news from our liberty-loving friends in Airstrip One England, Europhobia has an explanation of “Lords to decide on allowing evidence extracted by torture.”

And now for the footnotes, because I couldn’t work all of my comments into the flow of the text:

[1] You silly goose! No one gets off the list!
[2] The actual procedure, as Singel explains in “Nun Terrorized by Terror Watch,” is to call your powerful friends. Don’t have powerful friends? Ooooh! So sad! Better make some if you’d like to spend less than five or six hours being harassed before each flight.

[3] Shouldn’t that be Terrorist-Screening Center? Left unhyphenated, ‘terrorist’ modifies ‘center,’ not ‘screening.’ On second thought, maybe they have it right.

Cardsystems Breach and Notice

On Friday, San Francisco judge Richard Kramer ruled against the idea that Cardsystems (or Visa or Mastercard) had to provide 1386 notice to people.
Some articles are “Visa, MasterCard Win Battle Over Breach” and “Credit card companies can keep data ID theft secret.” But the article worth reading is CNet’s “Judge holds off disclosure in credit card heist,” which makes clear that:

San Francisco Superior Court Judge Richard Kramer denied a request for a preliminary injunction that would require the credit card companies to tell individual California credit card holders that their accounts are at risk of fraud after a widely publicized digital break-in at CardSystems Solutions. Payment processor CardSystems and Merrick Bank are also defendants in the case. (emphasis mine.)

Its unfortunate that none of the reporters has mentioned that 1386, which the judge accurately and worryingly describes as “a relatively new statute that
has been untested,” clearly explains that notice is imperative, in both section 1(e):

According to the Attorney General, victims of identity theft
must act quickly to minimize the damage; therefore expeditious
notification of possible misuse of a person’s personal information is
imperative.

and in the specifics. (For one example, 1798.82, “The
disclosure shall be made in the most expedient time possible and
without unreasonable delay..”)

In this particular case, I don’t share that sense of urgency, since its about
credit cards, not SSNs. But that’s not my determination to make, and I find
the judge’s choice to disregard the clearly reiterated intent of the legislature a bit suprising. Maybe some of my lawyer readers could comment?

Never Enough

After the 7/7 London bombings, France decided it was not enough. So, even though France has already one of the toughest anti-terrorism judicial arsenal in Europe, it is adding to it. Indeed, French newspaper Le Monde just revealed the clauses of the new anti-terrorist law due to be formally presented to the government on October 19.
Here is a rundown of the major changes:…very fast procedure to freeze assets after a decision from the Economy Minister…major expansion of video surveillance…

When does it become enough? When will we have sacrificed enough liberty to be safe? Your assets can be frozen without a court even becoming involved. If these measures are effective, why do we keep piling them on?

Read France Cancels Egalité, Fraternité, tooFrance is adding to her CT arsenal” at the CounterTerror blog.

Judging Wines By Their Labels

phelps-insignia.jpg
Stefan Geens has an entertaining post about “how to judge a wine by its label:”

Therein lies the secret as to why you really can judge wine by its label: Companies where the management has an atrocious taste in labels tend to be the old-school type, uncertain about innovation, parochial about marketing and under the impression that serifs imply prestige. Anyone relying on serifs to get a leg up in the wine stakes is suspect, methinks. A surfeit of colors or an overly florid arrangement of castles and gold leaf also bodes ill for the wine, much like a painter who prefers his works in elaborate gilded frames. Instead, extensive testing confirms that a sans serif font and white space on a wine label constitute a secret sign, a wink by the vintner that their approach to winemaking matches your approach to typography and graphic design. Use this knowledge as a shortcut to good wine.

It’s too bad he’s wrong. Look at that label. Just look at it. Serifs everywhere! Curlicues galore on a burgundy backing. Gold foil! And even two gilded frames! Every single listed element of “atrocious taste in labels.” So if anyone would like to trade one of those for some Albak de Elviwines 2003, I’m happy to help you out.

Would it tip my hand to offer to go two-for-one?

More Toys: Suicide Bomber Barbie

suicide-barbie.jpg
Yes, its suicide bomber Barbie! Click the picture for a few more views.

Toy supplier Shuki Toys, responsible for the distribution of the stickers, said in response, “We were very surprised to see the stickers in the shop, the several sheets of stickers have been pulled of the shelves.”

“We check all the stickers, thousands of them. We must have missed these ones. If we would have seen the stickers earlier, obviously we would not have distributed them. The stickers were only distributed to the one store.”

(Read the story, New for children: Blonde ‘bombshell’,” or if you prefer, “משחק: כך מוכרים בארץ “בובה מתאבדת.”)

Something about the store’s reaction reminds me of ““The Offending Articles Will Be Disposed Of,” although I’m certainly not claiming any equivalence between the offending items.

While I’m talking about the glorification and normalization of suicide-murder, Second Draft has a long investigation of what’s in the raw footage taken by “Palestinian photographers working for major western media outlets.” Unfortunately, it’s either Windows Media or large DIVX downloads. It’s fascinating and disturbing viewing.

From The Mouths of Toymakers

tsa-playmobil.jpg
We all understand that Ryan Singel deserves a break from reporting on stories like “TSA Chief Nixes Commercial Databases” or “Advisory Panel: Delay Secure Flight” or even “[TSA] Advisory Panel Report Made Public.” Reporting on the duckspeakers and their plans to grope us all in the name of liberty is enough to wear anyone down. Despite that, folks like Ed Hasbrouck keep going, with posts like “Whither “Secure Flight”?” as does Daniel Solove, in “TSA for Tots and Scaling Back Secure Flight.”

Lord knows that the General Accounting Office accusing the TSA of lawbreaking isn’t enough. Close congressional scrutiny isn’t enough to slow these folks down. No, they have your best interests at heart, and nothing is going to derail their good intentions.

Maybe that’s why, in releasing their “Security Check-in” product, Mattel chose to re-imagine the white, jacketless TSA uniforms with black jackets and a cap that could well have an eagle and swastika on it. [Since my links are usually pretty direct, I’ll add that you might find the ironic linking in this paragraph either clarifying or entertaining.]

So I’m glad Ryan had a chance to visit a toystore, and find “Toys for All the Boys and Girls.”

Apple Security Update 2005-08

There’s a new security update from Apple, for both 10.3.9 and 10.4.2. If you browse the internet, or read email, you need it. I’m getting really annoyed at Apple’s update mechanisms. Not only the agreeing to a new license as part of the update, but the awful way in which they’re arranged. The technical data on this update is in “About Security Update 2005-008.”

The very first issue, (CAN-2005-2747) is appropriately ordered: it’s an overflow in GIF interpretation in a (10.4) system library used by Safari. Then there are 2 mail issues, which I don’t rate as critical, a malloc local privilege escalation, and only then are we told about CAN-2005-2747, a buffer overflow in Quickdraw manager, which several important apps rely apon. Yesterday, I stopped reading before number five, thinking we were into local system attacks.

Added 24 Sept: It’s a shame that a company known for usability can’t make these things usable. See also “All Mac Browsers are crap.”

Anyway, time to update.

Chinese Censorship

china-jail.jpg
Rebecca MacKinnon has the story on how AOL is refusing to collaborate on blocking freedom in China, in “Internet Censorship & Corporate Choices.” Companies do have a choice, and the choices they make matter a great deal. Security technologies that help protect people from their governments are not yet internationalized and easy to use. So many Chinese are quite practically constrained by the choices that companies like Yahoo! make.

Kudos to AOL Chairman Richard Parsons for saying:

Time Warner thought about “what we would look like here in the U.S. if we agreed to a governmentally imposed regime where words like democracy had to be blocked,” Parsons said. “We made a judgment that it wasn’t a market that we wanted to enter in this way at this time.”

If more companies made that choice, Chinese censors would be more constrained in their actions. Corporate costs would be lower, and profits higher. There’s some game theory here: When a few companies defect, they will do well, but all would do better by cooperating and supporting freedom.

Real ID, Real Unfunded Mandate, Real Unnecessary

It seems to be standard that major new government programs cost more than we expect. Federal Computer Week has a story, “Real ID costs rising:”

Earlier this year, Congressional Budget Office officials said nationwide implementation of the Real ID Act would cost $100 million in five years. The act requires minimum national standards and physical features, including biographic and biometric data, for machine-readable driver’s licenses and personal identification cards within three years.

But Larry Dzieza, budget director of the Department of Licensing in Washington state, estimated that the state might need to spend $97 million in the next two years to implement the mandated provisions. He added that Pennsylvania estimates spending $100 million, while Virginia’s cost could be $232 million, including a one-time expense of $167 million and $66 million in ongoing annual costs.

The Real ID act will make Americans less safe, by increasing the number of ID checks, and the motivation and incentive to obtain fraudulently issued ID. It will subject us all to greatly increased risks of ID theft. It will cost us up front, and it will cost us in ongoing pain.

Security Implications of Economics of ID Cards

Some of the precepts that proponents of national ID often put forth is that it can make “illegal immigration more unpleasant for immigrants,” or “a national ID system has some substantial potential to be the cornerstone of a national fraud-prevention system.”

These are attractive notions, but will not be borne out in reality. Actually, the first will, but only because a national ID will make life more unpleasant for us all, illegal immigrants included.

Let’s presume that national ID cards would be deployed for these purposes. Will the illegal immigrants and identity thieves just give up? No. They’ll find cracks in the system. Those might involve people in the various issuing offices who can be corrupted. They might involve people breaking into computers and causing cards to be issued through the mail. (Expect that all cards will be mailed, to ensure that the address you give is somewhat reliable.) They might involve someone stealing important cryptographic keys and issuing their own cards. They might simply involve college students printing them up in dorm rooms.

What will happen is that the value of these cards will increase until the market finds a solution. And when it does, that solution will be valuable indeed.

So we won’t have secure issuance. But the issuance system will be deemed secure. It will be referred to as a secure system. And as such, when Alice is using your identity for her job picking grapes, or Bob shows an ID card with your name and SSN on it to get a bank account, there will be a presumption that it was you.

You thought it was hard to recover from ID theft today? You ain’t seen nothin’ yet.

This post is motivated because, as Michael Froomkin is blogging, there’s a “National ID Forum Underway.”

So, some specific responses to his points. He mentions (point 8) that the ID theft problem is made worse, but not that it is made inevitable and required by 15 million illegal immigrants. Whatever you think of illegal immigration, the economic impact of rounding up and kicking those people out would be devastating in (at least) the construction and agricultural sectors. It would also remove a huge source of free money being paid into the social security system. So, some valve will be opened, and the most likely one is 15 million new victims of identity theft. Other identity thieves will ride the coat-tails of that wave of criminality.

Froomkin does say “IV. The ID must be transparent — end users must be able to read everything coded on the ID itself.” But this is not possible. With cryptographic subliminal channels, the issuers will be able to encode extra information into the cards, and it will be undetectable.

I’m not participating in the forum. At the end of all of this, national ID is un-American, and we all know it.

“Every Valid Vote?”

Kip Esquire continues his coverage in “ACLU Sues to Block Georgia Voter ID Law,” and closes, like he did a comment on my last post on the subject:

Always remember, it’s not about “making every vote count,” but rather “making every valid vote count.”

I don’t think this works as a requirements statement. First, it feels tautological. Second, within that ‘every valid vote’ is a great deal of wiggle room. I know Kip doesn’t mean this, but his definition doesn’t exclude Jim Crow laws and ‘how many bubbles are in a bar of soap’ questions. Every valid vote was counted. The elections held under those rules disenfranchised blacks. Not what we want. Most importantly, the rule feels narrow and disconnected from the real purpose of an election, which is to facilitate a peaceful transfer of legitimate power by gauging the will of the people.

Small Bits on Security

  • “Security cameras certainly aren’t useless. I just don’t think they’re worth it.” So comments Bruce Schneier on the news that “Cameras Catch Dry Run of 7/7 London Terrorists.”
  • Richard Beitjich comments on “Citadel Offers Product Security Warranty.” I think Richard nails it with his analysis that “There are probably enough loopholes through which one could drive a truck, but I do not recall any sort of warranty like this elsewhere. Citadel may have just pushed the bar a little higher for those who do not offer similar assurances.”
  • Saar Drimer is covering a “clever ‘car-identity theft’ con uncovered in Israel,” with an interesting tie to the uselessness of checking ID: Apparently the folks who are responsible for car transfer look at the IDs of the buyer and the seller, but never look at the droids car.
  • Kenneth Belva examines the question of “How It’s Difficult to Ruin a Good Name: An Analysis of
    Reputational Risk
    .” It seems that this is a line of research outside the Economics and Information Security community. (The question of how to get academics and practitioners to collaborate is one I’d love to see solved.)

  • Richard Diamond sends news of Edmonton Cops scheming to frame a journalist who criticized photo radar program:

    Edmonton police deliberately used a restricted database to gather
    information on a journalist who wrote anti-camera columns. With the
    information, cops tried to set up a sting to arrest him for drunk
    driving. Except some pesky journalists happened to have police
    scanners and blew the lid off of the operation. (And this is just one
    of three photo radar scandals in the city!)

    See “Testimony Heard Regarding Edmonton Police Attempt to Arrest Journalist.” (Via Dave Farber’s IP list.)

  • Finally, at the CounterTerror blog, Victor Comras comments on the “Suspicious Activity Reporting requirements” for furriners in “Tightening Up on Correspondent Accounts for Non-US Persons:” “But these rules have turned out to be a much more controversial matter than originally envisaged, and have provoked the ire of banking managers across the country.” He goes on:

    The number of Suspicious Activity Reports (SARs) filed in recent years has burgeoned beyond proportion. FinCen had to wade through some 14.8 million reports from financial institutions last year, including 663,655 SARs, an increase of over 250,000 in one year. Most of these are generated by computer programs and subjected to only minimal manual review. Only a very small handful of these SARs actually lead to any further investigation, giving rise to concern that the “wheat is being lost in the chafe”

You Don’t Need To See His Identification

If you’re a jack-booted thug, one of the saddest moments in Star Wars is when Obi-Wan Kenobe and Luke Skywalker slip past the Imperial Stormtroopers, out looking for stolen property. Had the Stormtroopers been a little more on the ball, all of those innocents on the Death Star would still be alive.

You may not be surprised to find I have a different take on matters.
Luke Skywalker and Ben Kenobi in Mos Eisley

TROOPER: How long have you had these droids?

LUKE: About three or four seasons.

BEN: They’re for sale if you want them.

TROOPER: Let me see your identification.

BEN: You don’t need to see his identification.

TROOPER: We don’t need to see his identification.

BEN: These are not the droids your looking for.

TROOPER: These are not the droids we’re looking for.

BEN: He can go about his business.

TROOPER: You can go about your business.

Notice start of a perhaps useful line of questioning: How long have you had these droids… which could be followed with a series of in depth-questions. But instead the trooper goes to an identification check. Not like the Empire has any idea who its searching for on remote Tatooine. But that’s not the point of the roadblock. The point of the roadblock is to find a pair of droids, and the trooper becomes distracted by a desire to see some id. (Maybe he was about to offer Luke a drink?) The two droids the Stormtrooper is looking for are right there in front of him. Why doesn’t he look at them? (Presumably, they have Driod ID numbers engraved at the factory.) But its simpler and easier to check identification papers, rather than to examine the scene. The bureaucratic impulse crawls to the forefront of this rapidly aging clone’s mind.

It’s an impulse we see all too often: It’s easier to check ID than it is to make a judgment call. Maybe we can defer to the computer. We can fail to fix the voter registration system, and just check their IDs. We fail to secure the airplanes, and just check IDs. We let a fellow with a bloody sword into the country, but we checked his ID.

Better to take Obi Wan’s advice: You don’t need to see his identification.

Thoughts on Chapell’s View

Alan Chapell has some interesting thoughts in “CONSUMER WATCH: Localities put private data in harm’s way:”

As an aside, some might argue that there’s little distinction between “evil doer” and “data broker”. I prefer to view the latter as the poster children for another unregulated industry that is screaming for the Government to step in.

Of course, the trouble with choking off data flow is that it tends to be contrary to the concept of a free society. And since none of us seem to want to live under an EU privacy regime, then what’s a privacy conscious American to do?

First, I think that Chapell is spot on here: The gossip-mongers would love to trade higher costs in the form of regulation for limits on their liability and high barriers to entry.

Second, the industry relies heavily on government subsidies, in the form of social security numbers, and data collected under threat of legal penalties. (Like the property registers in the article Chapell quotes, or DMV records, or voting lists.) In a free society, I can choose to be known by whatever name I like. That is a right long established in the common law. We can impose regulations on the product of government action without making ourselves less free.

If the gossip-mongers work as entities in a free society, they should be free to do what they want. But if they want to touch data issued by, or authenticated by the government, that’s their choice. When doing so, they must accept the societal good of controls on their activities.